The OAuth domain name is the domain name that will be used to restrict the value of the redirect_uri parameter when authenticating from your application. This is done as a security precaution to prevent others from using your API key and redirecting to a domain name that does not match the one specified in the registration form.
The API documentation page ...

You can register apps that aren't web apps.
This page: http://api.stackexchange.com/docs/authentication, gives details for registering a Desktop Application. A mobile phone app comes under the category of a desktop application.
You should use the implicit flow, so check the box at the bottom of registration form, and for the OAuth domain use: ...

We moved from nginx to HAProxy for our SSL provider this weekend as part of a larger rollout. In the move, we shifted our header checks to the now de-facto standard SSL protocol header. While I thought I fixed all the apps relying on the old header and standardized everything internally, stackexchange.com was left out and thought your auth requests weren't ...

I found answer myself and posted in my blog post StackAlert Firefox Extension error key is not valid for passed access_token
Solution in brief
When you remove the application from StackExchange apps, and even after uninstalling the extension from Firefox, you will still have traces of that extension in Firefox.
To make this extension work again, we have ...

The token does not appear because of the way urllib2 handles the redirect. I am not familiar with the details so I won't elaborate here.
The solution is to catch the 302 before the urllib2 handles the redirect. This can be done by sub-classing the urllib2.HTTPRedirectHandler to get the redirect with its hashtag and token. Here is a short example of ...

Yes, calls to /access-tokens/{accessTokens} use API quota. You can see that by repeatedly running /2.2/access-tokens/XBWL0stf*YIOCl7WpJHqYA)) for example.
With each call, the quota_remaining value will decrease.
However, there is no reason that the token check has to use the same key as your main app. The token check and your main app would then use ...

In a nutshell and don't know ask me how to write this in C#:
That first "500 error" page is normal. You must display that to the user and the user must approve.
When the user approves, the page will redirect to a page (nominally stackexchange.com/oauth/login_success) with the access_token in the URL parameters. For example:
...

This is status-bydesign.
You'll note on the authentication documentation:
Desktop applications cannot participate directly in OAuth 2.0 flows,
however the embeddable browser controls available in most frameworks
make it possible to work around this limitation.
Desktop applications should use the implicit client-side flow, hosting
the process ...

If a user has any authorized applications, the apps tab appears on their profile pages.
From the page linked a user can see their authorized applications, and de-authorize any of them.
That link probably won't be conditionally displayed forever, but we haven't got anything to show in the "emtpy" case just yet.